May 10, 2012Dear Senator,We, the undersigned organizations, write to express our deep concerns with S. 2105, the CyberSecurity Act of 2012. In particular, we are concerned that the information-sharing provisions in
Title VII allow companies, “notwithstanding any law,” to share s
ensitive Internet and otherinformation with the government without sufficient privacy safeguards, oversight oraccountability.We understand S. 2105 is scheduled to be on the Senate floor next week. We urge you tooppose S. 2105 in its current form and to support amendments that address each of thefollowing threats to privacy and civil liberties:
S. 2105 undermines privacy and cybersecurity by expanding without justification theauthority for companies to monitor their clients' and customers' Internet usage for broadly-defined "cybersecurity threats," by authorizing ill-defined "countermeasures" against such"cybersecurity threats," and by immunizing companies against liability for monitoring activitiesthat violate their own contractual obligations.
• S. 2105 creates an exemption from all existing privacy laws to allow companies to share
communications and records with the government, even if those personal records are notnecessary to describe a cybersecurity threat.
S. 2105 directs the Department of Homeland Security to designate the government
agencies that will serve as “exchanges” to receive the information from the private sector, yet
the bill would still allow the NSA and other defense agencies to be designated as exchanges,thereby permitting companies to share private information directly with the military.
• S. 2105 allows information collected for cybersecurity purposes to be used in criminal
investigations unrelated to cybersecurity if the info
rmation merely “appears to relate to a crimewhich has been, is being or is about to be committed”—
thus circumventing longstanding FourthAmendment protections that require warrants or other processes designed to protect privacy.
• S. 2105 lacks
key meaningful oversight provisions such as mandatory Inspector Generalreviews; the only independent oversight required is a single report by the Privacy and CivilLiberties Oversight Board, an entity which will only come into existence if the Senate confirmsthe five nominees to the Board.
• S. 2105 grants legal immunity to entities that share information
that is so broad that itoverrides even the contracts companies make with their customers, preventing them fromcompeting on privacy grounds through enforceable promises to their users to protect privacyand by failing to give customers effective legal recourse for violations of what little privacyprotections the bill offers.